Try using the rules under the "optional_rules" directory, as the name is misleading. There are some optional rules; however, the rules files that are named the same (such as modsecurity_crs_40_generic_attacks.conf) have "deny" actions.

From: OSSEC junkie
To: mod-security-users@lists.sourceforge.net
Sent: Wed Nov 26 16:58:11 2008
Subject: Re: [mod-security-users] Rule Configuration Issue
Thank you for that. We will go ahead and take care of that. It makes perfect sense. When testing out mod_security, we see in the logs that the generic XSS attacks we manually tested are being logged but not blocked. How do we set it to block XSS attacks, and if possible, only XSS attacks?

We have lots of internally developed applications that we want to protect with mod_security; however, legit strings that we use are being blocked by mod_security. We are getting error messages in the logs saying: Response body too large (over limit of 524288, total not specified).

[Ryan Barnett] There are two main directives that control if/how you analyze Response Body payloads –

[Ryan Barnett] Even if you are only interested in identifying/blocking XSS attacks, you will still need to address the Response Body size issue, as those messages come from global directive settings and not from any specific attack rules. Once you have addressed that issue, you can simply take the XSS rule(s) from the existing modsecurity_crs_40_generic_attacks.conf file, copy/paste them into a new rules file (something like modsecurity_crs_15_customrules.conf), and then only call up that file and modsecurity_crs_10_config.conf from the Apache httpd.conf file.
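The following Apache configuration is an added example illustrating the two steps discussed in this thread; it is not part of the original messages or of the Core Rule Set. It assumes ModSecurity 2.5 or later (where SecResponseBodyLimitAction exists), that the CRS files live under conf/modsecurity/, and the XSS rule shown is a simplified stand-in for the one you would copy from modsecurity_crs_40_generic_attacks.conf (rule id 900001 is an arbitrary number chosen for this example). The 524288 in the log message is ModSecurity's default SecResponseBodyLimit in bytes, so the fix is either to raise that limit or to set SecResponseBodyLimitAction ProcessPartial so oversized responses are inspected as far as the limit allows instead of being rejected.

```apache
# --- httpd.conf (added example, assumed paths) -------------------------------
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On

    # The CRS base config is loaded first; only the custom rules file follows it,
    # so none of the other CRS attack rules are active.
    Include conf/modsecurity/modsecurity_crs_10_config.conf
    Include conf/modsecurity/modsecurity_crs_15_customrules.conf

    # Response-body handling. These are placed AFTER the Include so they override
    # any value the CRS config file sets for the same directive.
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml
    # Either raise the limit from the 524288-byte default ...
    SecResponseBodyLimit 1048576
    # ... and/or inspect what fits rather than reject the whole response.
    SecResponseBodyLimitAction ProcessPartial
</IfModule>

# --- conf/modsecurity/modsecurity_crs_15_customrules.conf (added example) -----
# A minimal XSS rule with a deny action. Rule id 900001 is an assumed, made-up id.
# In practice copy the XSS rule(s) verbatim from modsecurity_crs_40_generic_attacks.conf.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_HEADERS:User-Agent \
    "(?i)(<script[^>]*>|javascript:|on(load|error|mouseover)\s*=)" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,log,auditlog,\
    msg:'Cross-site Scripting (XSS) Attack (example rule)',id:900001,severity:'2'"
```

To confirm the custom rule blocks rather than only logs, restart Apache and send a request such as `curl -i 'http://localhost/?q=%3Cscript%3Ealert(1)%3C/script%3E'`; the response should be 403 and the audit log should show id 900001. If a legitimate page still produces a "Response body too large" entry, check that the SecResponseBodyLimit line really comes after the CRS Include, because in Apache the last occurrence of a directive in a context wins.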